Investigating a Suspicious Domain using RiskIQ Host Pairs - RiskIQ


In this exercise, you have been given a domain antivirus.safetynote.xyz from an old firewall log to investigate.

You are tasked with investigating why your internal users accessed this site. You need to determine if the site is still online and if it was legitimate or malicious. If the site were malicious, are there any other malicious sites associated with it?

After your investigation, you should be able to determine if there were any malicious sites that should be blocked in your firewall.

RiskIQ has many unique data sets. Today we will be discussing host pairs. A host pair is a relationship between two websites, recorded as a parent and a child depending on how the two are linked. Host pairs give you an understanding of a website's redirection sequences and dependent requests.

RiskIQ uses virtual user technology to crawl websites from more than 500 different points of egress in over 150 different countries. These virtual users look and act like real users: they appear to be coming from mobile and desktop computers, using different types of operating systems and browsers, and their IP addresses are from residential, corporate, and mobile IP space. When RiskIQ’s virtual users visit a website, they present cookies, follow links, and download files just like real users do. By acting like real users, they uncover stealthy attacks and relationships between domains that normally go unnoticed by other security vendors.

Open your browser and go to www.passivetotal.org/home. Log in with your credentials. If you do not have credentials, click on the "register now" link to obtain your free Community Edition credentials.

In the Discovery window type: antivirus.safetynote.xyz and hit the enter key.

As you can see in the heatmap above, there are no results for the last six months. In the middle section we see the data bar. If I select a period of time that has blue squares in it, the view automatically refreshes to show that period when I click on it. Looking at the last entry, we see that the site was last active on 9-21-2016.

Now I’ll reset the data bar.

Click on the WHOIS data tab. WHOIS information lists the registered owner and administrators of the domain. During domain registration, privacy protection can be purchased to hide the real owner and administrator of the domain. This means that the information listed is the contact information of the registration company and not the actual owner of the domain. If you need to contact the real domain owner or administrator, you must go through the privacy protection company listed; most of the time, that is the company that was used to register the domain.

Here we can see that safetynote.xyz domain is privacy protected. Sometimes privacy protection is placed on a domain at a later time. Since RiskIQ has a long history of domain registrations, we can use the change history section to look at older domain registrations. It appears that all the previous registrations were privacy protected.

Now click on the Subdomain data tab. Notice that antivirus.safetynote.xyz is colored red and has a few tags. The tag from PassiveTotal means that RiskIQ has made a determination about this website. The other tags state that this subdomain is malicious and is involved with phishing and typo-squatting domains.

Click on the Host Pair data tab. We see that 38 different sites are associated with the site antivirus.safetynote.xyz. Most of the domains appear to be typo-squatted. According to Wikipedia, typosquatting, also called URL hijacking, is a form of cybersquatting, and possibly brand infringement, which relies on mistakes such as typographical errors made by users when typing a website address into a web browser. Should a user accidentally mistype an address, entering united.om instead of united.com, they may be led to any URL, including a malicious website owned by a cybersquatter or threat actor.
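The typosquatting pattern described above (a brand name with one character dropped or changed, such as united.om for united.com) can be screened for mechanically. The following is an added example in Python, not RiskIQ or PassiveTotal code: it compares the registered domain of each observed host name against a watchlist of brand domains using a plain edit-distance heuristic. The watchlist, the observed host names and the crude `registered_domain` helper (a real tool should consult the public-suffix list) are constructed assumptions for this illustration.

```python
# Added example: flag candidate typosquats of a watchlist of brand domains.
# Not RiskIQ/PassiveTotal code. Watchlist and inputs are constructed.

# Constructed watchlist of brands an organisation cares about.
WATCHLIST = ["united.com", "wsj.com", "dropbox.com"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude 'label.tld' extraction (assumption: two-label suffixes only).
    Production code should use the public-suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def typosquat_matches(host: str, watchlist=WATCHLIST, max_distance=1):
    """Return the watchlist domains this host sits within max_distance of.
    An exact match is the brand itself, not a typosquat, and is skipped."""
    candidate = registered_domain(host)
    hits = []
    for brand in watchlist:
        if candidate == brand:
            continue
        if levenshtein(candidate, brand) <= max_distance:
            hits.append(brand)
    return hits


def triage(hosts, watchlist=WATCHLIST):
    """Map each observed host to the brands it resembles ([] if none)."""
    return {h: typosquat_matches(h, watchlist) for h in hosts}


if __name__ == "__main__":
    # Constructed sample of host names as they might appear in a Host Pair tab.
    sample = ["united.om", "www.wsj.om", "dropbox.om", "antivirus.safetynote.xyz"]
    for host, brands in triage(sample).items():
        print(f"{host:28} -> {brands or 'no watchlist match'}")
```

Treat the output as leads for an analyst, not as an automatic block decision: an edit distance of one also matches legitimately registered near-neighbours, so each hit still needs the WHOIS and host pair review the walkthrough performs.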

By looking at the direction and cause listed for each host name, we see that these domains are mostly going to antivirus.safetynote.xyz. They are considered children of the parent domain antivirus.safetynote.xyz.

What must happen to make a typosquatted domain illegal? The typosquatted domain needs to be using the logos or brand from the real website to be illegal. This is called domain infringement. When the same site also has a login section, it could also be considered a phishing site.

Click on united.om and check the WHOIS information to see if we can determine who registered the site. This site is also privacy protected.

Now, if we go back to antivirus.safetynote.xyz, we can look at all of the different domains that should also be blocked in your firewall. If we take a look at the other red line listed here, track.mcwtg400.com, we notice that it is a parent redirect, which means that antivirus.safetynote.xyz is a child of that parent, sending traffic to that site.

Now let’s review the results of your investigation. We determined that many different typo-squatted domains were being forwarded to antivirus.safetynote.xyz.

Therefore, the typo-squatted domains are the children and the antivirus.safetynote.xyz is the parent.

If any user went to one of the typo-squatted domains (united.om, Wall Street Journal wsj.om, or dropbox.om), their browser would automatically be redirected to the parent domain antivirus.safetynote.xyz, where the malicious code or phishing site was running. We also determined that antivirus.safetynote.xyz was forwarding its visitors to track.mcwtg400.com, which was also tagged as a malicious and phishing site.
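The investigation above walks host pairs outward from one seed domain in both directions (the typo-squatted children, then the parent track.mcwtg400.com) and collects everything connected by a redirect into a firewall block candidate list. The following is an added example in Python, not RiskIQ or PassiveTotal code, that performs that walk over a constructed set of host pair records. The records mirror the relationships the walkthrough reports; the field names (`parent`, `child`, `cause`) and the cause values are assumptions modelled on the Host Pair tab's columns, not the real API schema, and the two `.test` hosts are constructed to show a second hop and a shared resource.

```python
# Added example: expand a seed domain through host pair redirects into a
# block candidate list. Not RiskIQ/PassiveTotal code; records are constructed.
from collections import deque

# Constructed host pair records. Field names and cause values are an
# assumption modelled on the Host Pair tab, not the real API schema.
HOST_PAIRS = [
    {"parent": "antivirus.safetynote.xyz", "child": "united.om", "cause": "redirect"},
    {"parent": "antivirus.safetynote.xyz", "child": "wsj.om", "cause": "redirect"},
    {"parent": "antivirus.safetynote.xyz", "child": "dropbox.om", "cause": "redirect"},
    {"parent": "track.mcwtg400.com", "child": "antivirus.safetynote.xyz", "cause": "redirect"},
    # constructed second hop, to show depth-limited expansion
    {"parent": "track.mcwtg400.com", "child": "login-verify.test", "cause": "redirect"},
    # constructed shared resource: loaded by the bad site, but not a redirect
    {"parent": "antivirus.safetynote.xyz", "child": "cdn-fonts.test", "cause": "script.src"},
]


def neighbors(host, pairs=HOST_PAIRS):
    """Yield (other_host, direction, cause) for every pair touching host,
    in either direction."""
    for p in pairs:
        if p["parent"] == host:
            yield p["child"], "child", p["cause"]
        elif p["child"] == host:
            yield p["parent"], "parent", p["cause"]


def redirect_cluster(seed, pairs=HOST_PAIRS, max_depth=2, causes=("redirect",)):
    """Breadth-first walk over host pairs in both directions, following only
    the listed causes. Returns {host: hop distance from seed}."""
    seen = {seed: 0}
    queue = deque([seed])
    while queue:
        host = queue.popleft()
        if seen[host] >= max_depth:
            continue
        for other, _direction, cause in neighbors(host, pairs):
            if cause in causes and other not in seen:
                seen[other] = seen[host] + 1
                queue.append(other)
    return seen


def firewall_blocklist(seed, pairs=HOST_PAIRS, max_depth=2):
    """Sorted host names in the redirect cluster, for analyst review
    before they are added to a firewall block rule."""
    return sorted(redirect_cluster(seed, pairs, max_depth))


if __name__ == "__main__":
    cluster = redirect_cluster("antivirus.safetynote.xyz")
    for host, hops in sorted(cluster.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"hop {hops}: {host}")
```

Two design points matter here. Filtering on cause keeps a resource that a malicious page merely loads (the constructed `cdn-fonts.test`, reached via `script.src`) out of the block list, because blocking shared infrastructure on that basis breaks legitimate sites. Limiting depth keeps the expansion from sprawling across unrelated redirect chains; raise `max_depth` only after reviewing what the previous hop pulled in.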

We hope you enjoyed this video on how to investigate a suspicious domain to gain more information about a threat actor.

If you want to learn more about the products that RiskIQ sells, visit us on the web; for sales inquiries, you can call us at 1.888.415.4447 or email us at sales@www.riskiq.com